In an Information Technology (IT) environment, where cloud-based system services are consumed through a Cloud Service Broker, it can be important for the enterprises, subscribers, or customers of the cloud services to determine the origin of the services, the origin and destination of data, and finally the storage of data. The destination of the data and the storage of the data may or may not be the same location. For example, the destination may be a client machine, but the long term storage of the data may be a more permanent computer storage device remotely located from the client device. This may be important for a variety of reasons, some of which are political in nature, such as the degree of access that the pertinent government has to the data, and the access that the government permits third parties, or even the subscriber itself, to have to the data.
Consequently, it can be important for a subscriber of cloud services to know the country or countries in which its data will be hosted. This can be important because the location of the data directly affects the choice of the law that will govern the handling of, the access to, and the storage of the data. For example, if the data resides in a particular country, it is likely that the law of that country will govern access to the servers and/or the computer storage media where the data are hosted. If a client demands access to its data, the law of that country may apply and may restrict access to that data. Additionally, the law of that country may permit the government of that country to have unlimited access to the data stored in its territory. By contrast, if the data is stored in another country, there might be stricter restrictions to government access to data stored in that country.
A global company that uses cloud services from a variety of providers (i.e., hybrid cloud usage scenarios) may want to know where the personal data of its employees, clients, and others is, or will be, located. With this knowledge, the company can address the specific restrictions that foreign data protections laws may impose. For example, a particular company may not oppose the use of a cloud service provider in one country, but it might object to the transfer of its data to another country. Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross border flow of data.